I have 4 different types of department: IT team, Development, Training, Marketing. I want the IT team to have full permission to log in to any machine in any department. Other users in other departments only have permission to log in within their own department. My server is a 2008 server.

2 Answers
Then create an equivalent security group under Users (or whichever OU your users live in).

Make sure that all of the departmental computers belong to the department computer security group, and make sure that all of the people belong to the department user security group.

Then go to the properties on the user security groups, click the Account tab, click "log on to", select "The following computers", type/find the computer security group appropriate for that group. Click OK.

Do that for each, and that should limit each user to only being able to log into their appropriate computers.

For this to work, I believe you will need to create an OU for each department's computers in addition to security groups for each department's users. I would create an OU called "Workstations", and create child OUs in the Workstations OU for each department. Then I would probably create a GPO for each OU to restrict which security groups are members of the Users group.
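
The OU and group layout described in the answers, scripted as an added example (not part of either answer). It assumes a domain DN of `DC=example,DC=com`, a hypothetical `<Dept>-Users` naming scheme, and that `dsadd.exe` from the AD DS tools is available. Including `IT-Users` in every department's list is an assumption drawn from the question's requirement.

```powershell
# Assumed values (not from the page): domain DN and group naming scheme.
$DomainDN    = 'DC=example,DC=com'
$Departments = 'IT', 'Development', 'Training', 'Marketing'
$DryRun      = $true   # $true only prints the commands; $false runs dsadd

function Invoke-DsAdd([string[]]$DsArgs) {
    if ($DryRun) {
        Write-Host ('dsadd ' + ($DsArgs -join ' '))
    } else {
        & dsadd.exe $DsArgs
        if ($LASTEXITCODE -ne 0) {
            Write-Warning ('dsadd failed: ' + ($DsArgs -join ' '))
        }
    }
}

# Parent OU for all workstations, then one child OU per department.
$WorkstationsOU = "OU=Workstations,$DomainDN"
Invoke-DsAdd @('ou', $WorkstationsOU)

foreach ($dept in $Departments) {
    Invoke-DsAdd @('ou', "OU=${dept},$WorkstationsOU")

    # Global security group for the department's users,
    # created in the default Users container.
    Invoke-DsAdd @('group', "CN=${dept}-Users,CN=Users,$DomainDN",
                   '-secgrp', 'yes', '-scope', 'g')
}

# Membership that each per-OU GPO would enforce for the local Users group:
# the department's own group plus the IT group.
foreach ($dept in $Departments) {
    $allowed = @("${dept}-Users", 'IT-Users') | Select-Object -Unique
    '{0,-48} local Users = {1}' -f "OU=${dept},$WorkstationsOU", ($allowed -join ', ')
}
```

The GPO step itself is not scripted here; the last loop only prints the group list to enter in each department's GPO. A domain-joined machine has Domain Users in its local Users group by default, so the restriction takes effect only once the GPO replaces that membership.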